Eufy under fire for cloud storage of images from Eufy Security Cameras without user consent

If you buy a security camera for your home these days, your probably in one of two camps. One, you want the full cloud solution with access to your vision at all times. Or, two, you don’t want a bar of the cloud, and you want all your images and cameras private and using local storage at your home. Eufy has been the brand getting the most traction in the second category – but that privacy claim has been blown out of the water in the last two weeks.

Security Consultant Paul Moore purchased some Eufy cameras and while testing them discovered something very wrong. His “locally stored” images were in fact saved to the cloud.

His videos detailing this are quite comprehensive, first when discovering it, and then when proving that it wasn’t even just a simple failure.

In simple terms, Mr Moore purchased the Eufy products on the basis that they were all about local storage, and privacy, without any use of the cloud.

Eufy’s website is clear on this:

But Paul Moore sees it otherwise:

.@EufyOfficial – Couple of Q's

Why is my "local storage" #doorbellDual storing every face, without encryption, to your servers?

Why can I stream my camera without #authentication?!

But crucially, is this really the AES key for my video footage? Please tell me it's not. pic.twitter.com/uV70koBjLk

— Paul Moore (@Paul_Reviews) November 21, 2022

What Mr Moore’s research reveals is that a thumbnail of your camera’s view just before someone comes into frame is stored on the cloud, as well as a headshot of the person who walked into frame of the camera.

More troubling still is that the image appears to give a “user ID” number to each face, suggesting some form of facial recognition too.

Eufy responded to Mr Moore, saying the data was stored for notification purposes, and was deleted after 24 hours.

What this means, as I read it – is that the images are sent to the cloud, to allow for a “rich notification” to be sent to your smartphone. You know those notifications with images in them? That kinda thing. Great feature, but if it needs the cloud, and the user didn’t want the cloud, you’ve got some issues.

You have some serious questions to answer @EufyOfficial

Here is irrefutable proof that my supposedly "private", "stored locally", "transmitted only to you" doorbell is streaming to the cloud – without cloud storage enabled.#privacyhttps://t.co/u4iGgkWkJB

— Paul Moore (@Paul_Reviews) November 23, 2022

Perhaps more worrying than all of that, it’s also revealed by Mr Moore that his camera’s stream can be viewed unauthenticated with just a URL using VLC player.

Now, it should be clear, how someone obtains your stream URL is a tough call – likely near impossible, but the fact that it is a URL that is without authentication leaves it open to a severe breach of privacy.

Unfortunately for Eufy, this isn’t their first privacy drama. In early 2021 Aussie families discovered they were viewing the wrong cameras on their app, with a bug in the Eufy system switching users cameras to other accounts causing a solid privacy worry for a lot of owners.

Eufy has a great reputation among owners of it’s products, they are priced well, and offer this local solution without subscription.

However, the fact their engineers needed to use the cloud when their marketing claimed the product used local storage is cause for concern among existing and potential users.

For me, if privacy is a concern, I’d be sticking with Uniden for a local storage based solution, and Arlo for the best local or cloud based solution.

We’ve got some Eufy products in for testing, we’ll check them out for camera quality and features for sure, but any recommendation is going to have to be couched in these privacy concerns.